Moodle / MDL-14624

mnet can't set up a peer when a proxy is in use.

    Details

    • Type: Improvement
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.9, 2.0
    • Fix Version/s: 2.0.10
    • Component/s: MNet
    • Labels: None
    • Affected Branches: MOODLE_19_STABLE, MOODLE_20_STABLE
    • Fixed Branches: MOODLE_20_STABLE

      Description

      The mnet code doesn't contain any checks for proxies. This is actually fairly easy to fix, as using curl through a proxy is used and (proven) in other places. It only requires the routine that scrapes the site title to use download_file_content() - which just works - and to modify the curl call that gets the SSO key to check for proxies - mainly by taking the code from the former function.

            Activity

            Howard Miller added a comment -

            Should now be able to establish link with peer through a HTTP proxy. Mostly uses existing (hence tested hopefully) functions and code snippets.

            Dan Poltawski added a comment -

            Hi Howard,

            I am just wondering if this works?

            My vague memory was that the mnet handshaking would check that the incoming request comes from the same IP address as DNS resolves the host to. So using a proxy would cause that check to fail? (But also, if you are using a proxy and can't get out directly, how does the mnet peer verify who you are and chat back to you?)

            Howard Miller added a comment -

            A very good point that I had not considered. However, it works perfectly from behind my Squid firewall. I can now connect to either Moodle or Mahara and I couldn't before. I'll have a bit more of a think about it, and see if I can justify why it works though.

            Howard Miller added a comment -

            Just checking - both Moodle sites report the IP address of the peer machine as its actual IP address. The presence of the proxy doesn't seem to make any difference. I haven't checked the exact operation, but I guess that if the xmlrpc packet simply contains the originating host name then the IP still resolves correctly and it all works. As long as the path to "get back" is established (proxy or no) then you have a connection. I suppose this means that it doesn't check what the IP was that the request came from!

            Petr Skoda added a comment -

            Please consider reverting this in MOODLE_19_STABLE - see MDL-14659

            Howard Miller added a comment -

            This fix could cause problems, without resolving MDL-14659 so that proxies can be excluded for (typically) local addresses.

            Howard Miller added a comment -

            Changes reverted in 1.9. Will leave in HEAD and continue to resolve MDL-14659.

            Howard Miller added a comment -

            Fixed in HEAD only. MNET now uses Proxy settings if specified, but you can bypass it for specified domains if you so wish.

            Howard Miller added a comment -

            Doesn't consider mnet/xmlrpc/client.php and server.php. This worked for me without. I wonder why.

            This really needs that curl code to be put in the library, as the proxy code will be duplicated again and again.

            Penny Leach added a comment -

            Howard is this fixed?

            Howard Miller added a comment -

            Hi Penny,

            My recollection is that this needs some proper testing still. I'm happy to work on it but I won't have any time for (maybe) a few weeks.

            Howard

            Penny Leach added a comment -

            ping?

            Howard Miller added a comment -

            Pung, but moving house this week. Soon!!! Need longer days and less need for sleep

            Penny Leach added a comment -

            ping again!

            (sorry to nag but it's my last moodle hq mnet week)

            Martin Dougiamas added a comment -

            Can I close this?

            Penny Leach added a comment -

            Martin I think not - the comment from Howard which says:

            >> Doesn't consider mnet/xmlrpc/client.php and server.php. This worked for me without. I wonder why.

            Makes me think it probably shouldn't be closed, and needs further testing.

            Howard Miller added a comment -

            Unless you/we are convinced this works correctly I would note that I never tested this exhaustively with all the possible combinations of inside/outside a proxy.

            Yes I know I should have done - hours/day issues again.

            Jan Kristoffer Roth added a comment -

            Affects Version 2.5.2 too.
            My solution: add Proxy check under curl_setopt (line 374 in mnet/xmlrpc/client.php)

                // check for proxy
                if (!empty($CFG->proxyhost) and !is_proxybypass($uri)) {
                    // SOCKS supported in PHP5 only
                    if (!empty($CFG->proxytype) and ($CFG->proxytype == 'SOCKS5')) {
                        if (defined('CURLPROXY_SOCKS5')) {
                            curl_setopt($httprequest, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
                        } else {
                            curl_close($httprequest);
                            print_error('socksnotsupported', 'mnet');
                        }
                    }

                    curl_setopt($httprequest, CURLOPT_HTTPPROXYTUNNEL, false);

                    if (empty($CFG->proxyport)) {
                        curl_setopt($httprequest, CURLOPT_PROXY, $CFG->proxyhost);
                    } else {
                        curl_setopt($httprequest, CURLOPT_PROXY, $CFG->proxyhost.':'.$CFG->proxyport);
                    }

                    if (!empty($CFG->proxyuser) and !empty($CFG->proxypassword)) {
                        curl_setopt($httprequest, CURLOPT_PROXYUSERPWD, $CFG->proxyuser.':'.$CFG->proxypassword);
                        if (defined('CURLOPT_PROXYAUTH')) {
                            // any proxy authentication if PHP 5.1
                            curl_setopt($httprequest, CURLOPT_PROXYAUTH, CURLAUTH_BASIC | CURLAUTH_NTLM);
                        }
                    }
                }

            Better solution would be a single CURL class (xmlrpc client) for all modules.

            BTW, in some cases (maybe PHP versions) you need to add CURLOPT_HTTPHEADER -> Expect:
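
Added example (not part of the comments above and not Moodle's own code): one way to do what both Howard Miller and Jan Kristoffer Roth ask for, resolving the proxy options in a single helper that every MNet cURL call applies. The function names, the `proxybypass` setting name, the bypass matching rule and the sample hosts are assumptions; it needs PHP 7 or later with the curl extension.

```php
<?php
// Added example: proxy settings resolved in one place for every cURL call.
// host_bypasses_proxy() and build_proxy_curlopts() are hypothetical names;
// $cfg mirrors the $CFG->proxy* settings used in the comment above.
function host_bypasses_proxy(string $uri, string $bypasslist): bool {
    $host = strtolower((string) parse_url($uri, PHP_URL_HOST));
    foreach (explode(',', strtolower($bypasslist)) as $entry) {
        $entry = ltrim(trim($entry), '.');
        if ($entry === '' || $host === '') {
            continue;
        }
        // Exact host or sub-domain only: "example.org" must not match "notexample.org".
        if ($host === $entry || substr($host, -strlen($entry) - 1) === '.' . $entry) {
            return true;
        }
    }
    return false;
}

function build_proxy_curlopts(stdClass $cfg, string $uri): array {
    if (empty($cfg->proxyhost) || host_bypasses_proxy($uri, $cfg->proxybypass ?? '')) {
        // Empty string disables proxying even if http_proxy is set in the environment.
        return [CURLOPT_PROXY => ''];
    }
    $opts = [
        CURLOPT_HTTPPROXYTUNNEL => false,
        CURLOPT_PROXY => empty($cfg->proxyport)
            ? $cfg->proxyhost
            : $cfg->proxyhost . ':' . $cfg->proxyport,
    ];
    if (($cfg->proxytype ?? '') === 'SOCKS5') {
        if (!defined('CURLPROXY_SOCKS5')) {
            // Fail closed rather than silently going out through the wrong path.
            throw new RuntimeException('SOCKS5 proxy configured but not supported');
        }
        $opts[CURLOPT_PROXYTYPE] = CURLPROXY_SOCKS5;
    }
    if (!empty($cfg->proxyuser) && !empty($cfg->proxypassword)) {
        $opts[CURLOPT_PROXYUSERPWD] = $cfg->proxyuser . ':' . $cfg->proxypassword;
        // With several bits set, libcurl picks the strongest method the proxy offers.
        $opts[CURLOPT_PROXYAUTH] = CURLAUTH_BASIC | CURLAUTH_NTLM;
    }
    return $opts;
}
// Constructed sample configuration and peer URLs.
$cfg = (object) ['proxyhost' => 'proxy.example.test', 'proxyport' => 3128,
                 'proxybypass' => 'localhost, intranet.example.test'];
foreach (['https://peer.example.org/mnet/xmlrpc/server.php',
          'http://moodle.intranet.example.test/mnet/xmlrpc/server.php'] as $uri) {
    $ch = curl_init($uri);
    curl_setopt_array($ch, $opts = build_proxy_curlopts($cfg, $uri));
    printf("%s -> proxy %s\n", $uri, $opts[CURLOPT_PROXY] ?: '(none, direct)');
}
```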


              People

              • Votes: 0
              • Watchers: 8
